An obvious security issue here is I don't want some script kiddy parked at my imap or smtp ports trying password after password for aliases like postmaster, webmaster, hostmaster etc. With the default Zimbra password lockout for an hour after 10 retries, it means that in a 6 month period (before the password is changed again) they could have tried ~43,000 combinations, and worse still, significantly impacted on the person trying to login to the account proper.